DETAILED ACTION 

1. This Office action is responsive to the following communication: Amendment filed on 22 June 
2009. 

2. Claims 98-104 are pending and present for examination. 

Response to Amendment 

3. Claim 98 has been amended. 

4. No claims have been further cancelled. 

5. No claims have been newly added. 

Specification 

6. Applicant's Amendment has been acknowledged. Accordingly, the objection to the Specification 
has been withdrawn. 

Claim Rejections - 35 USC § 101 

7. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

8. Applicant's Amendment has been acknowledged. Accordingly, the rejection under 35 U.S.C. 101 
has been withdrawn. 

Claim Rejections - 35 USC § 103 

9. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 
(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented 
and the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

10. Claims 98 and 101 are rejected under 35 U.S.C. 103(a) as being unpatentable over Bapat et al, 
U.S. Patent No. 6,038,563 (hereinafter referred to as BAPAT), filed on 25 March 1998, and issued on 14 
March 2000, in view of Glasser et al, U.S. Patent No. 5,956,715 (hereinafter referred to as Glasser), filed 
on 23 September 1996, and issued on 21 September 1999. 

11. As per independent claim 98, BAPAT, in combination with Glasser, discloses: 

A computer readable medium having code to perform a computer implemented method 
for protecting a database hosted on a server, comprising: 

installing a console on a remote computer system for monitoring activity on the 
database {See BAPAT, C4:L58-65, wherein this reads over "a network management system 100 
having an access control engine (ACE) 102 that restricts access by initiators (e.g., users, and 
application programs acting on behalf of users) to the managed objects in a network"}, the 
remote computer system having a first tangible computer readable medium {See 
GLASSER, C6:L17-20, wherein this reads over "Client 130 can include a floppy disk drive or other 
persistent storage device"}; 

presenting the installed console through a user interface {See GLASSER, C5:L13-16, 
wherein this reads over "a user interface component 180, which is used in accessing a file or folder 
on hard disk 121 remotely from another node of network 110"}; 

the user interface being displayed on a monitor {See GLASSER, C5:L13-16, wherein this reads 
over "a user interface component 180, which is used in accessing a file or folder on hard disk 121 
remotely from another node of network 110"}; 

registering a listener agent with the console {See BAPAT, C5:L44, wherein this reads over "user 
information, identifying the request initiator"; C9:L46-61, wherein this reads over "access rules are 
defined in terms of access rights of groups"}, the server having a second tangible 
computer readable medium {See BAPAT, C7:L37-38, wherein this reads over "memory 164, 
including both volatile high speed RAM and non-volatile storage such as magnetic disk storage"}; 

the listener agent being installed on the server hosting the database {See BAPAT, 
C8:L18-29, wherein this reads over "The MIS 150 and auxiliary servers 152, 154 all maintain identical 
copies of a library of access control procedures as well as a copy of the access control object tree"}; 

establishing a secure connection between the console and the listener agent {See 
BAPAT, C4:L58-65, wherein this reads over "a network management system 100 having an access 
control engine (ACE) 102 that restricts access by initiators (e.g., users, and application programs 
acting on behalf of users) to the managed objects in a network"}; 

the console and the listening agent monitoring activity at an application level of the 
database {See BAPAT, C4:L58-65, wherein this reads over "a network management system 100 
having an access control engine (ACE) 102 that restricts access by initiators (e.g., users, and 
application programs acting on behalf of users) to the managed objects in a network"}; 

configuring the listener agent with a first set of rules having a set of security 
attributes {See BAPAT, C17:L3-14, wherein this reads over "[t]his filter 291 passes "access grant" 
and "access denial" event notifications generated by the MIS"}; 

installing a collector agent to be in communication with the listener agent for 
collecting a plurality of database events {See BAPAT, C17:L3-14, wherein this reads over 
"[t]his filter 291 passes "access grant" and "access denial" event notifications generated by the 
MIS"}; 

deconstructing the plurality of database events into a plurality of atomic messages 
{See BAPAT, C18:L24-27, wherein this reads over "[u]ser queries requesting information from tables 
to which the user does not have access rights are rejected by the SQL engine"}; 

analyzing the plurality of atomic messages for compliance with the first set of rules 
{See BAPAT, C17:L15-19, wherein this reads over "a Security Alarm log 293 that is separate from the 
security audit trail 192, where security alarms are generated and stored in the log only when there is 
a denial of object access"}; 

executing compliant database events {See BAPAT, C18:L19-27, wherein this reads over "only 
queries in full compliance with those access rights are processed"; and C28:L31-37, wherein this 
reads over "[a]ccess is allowed only for the objects to which the user has appropriate access 
rights"}; 

sending a signal to a console operator when a database event is not compliant with 
the first set of rules {See BAPAT, C12:L19-26, wherein this reads over "[i]f a match is found, the 
request is denied, and a response is returned to the initiator if appropriate"}; 

allowing a console operator to create exceptions to the first set of rules when signals 
are sent by the listener agent {See BAPAT, C11:L39-51, wherein this reads over "users 
authorized to modify the access control tree"}; 

updating the first set of rules with the exceptions created by the console operator 
{See BAPAT, C11:L39-51, wherein this reads over "users authorized to modify the access control 
tree"}; 

storing the signals received by the console operator in a data file residing with the 
console {See BAPAT, C12:L56-57, wherein this reads over "[t]he deny/grant decision for each 
access request may be stored in a security audit trail"}, in association with the second 
tangible computer readable medium. 
While BAPAT may fail to expressly disclose the features related to the recited remote computer 
system, GLASSER discloses a system for controlling user access to a network server wherein the client 
components include a persistent storage device and a user interface component for connecting with the 
network server. Whereas BAPAT discloses a managed information object system wherein users connect 
and access data via an access control server, it would have been obvious to one of ordinary skill in the 
art to modify said invention with that disclosed by GLASSER such that a client may utilize a user interface 
to communicate with the access control server. 

One of ordinary skill in the art would have been motivated to make the aforementioned 
modification such that the client may remotely access and monitor activity on the database of an access 
server. 

12. As per independent claim 101, BAPAT, in combination with GLASSER, discloses: 

The computer readable medium having code to perform the computer implemented 
method for protecting the database of Claim 98, wherein the step of analyzing 
further comprises the steps of: 

determining whether an executable SQL statement contains a write operation to 
a data dictionary {See BAPAT, C6:L4-11, wherein this reads over "[i]f a suspicious directory 
name is found 68, the control function is notified"}; 

preventing the data dictionary from being written to {See BAPAT, C12:L19-26, wherein 
this reads over "[i]f a match is found, the request is denied, and a response is returned to the 
initiator if appropriate"}. 

13. Claim 99 is rejected under 35 U.S.C. 103(a) as being unpatentable over BAPAT as applied to 
claims 98 and 101 above, in view of GLASSER, and further in view of Shostack et al (U.S. Patent No. 6,298,445, 
hereinafter referred to as SHOSTACK), filed on 30 April 1998, and issued on 2 October 2001. 

14. As per dependent claim 99, BAPAT, in combination with GLASSER and SHOSTACK, discloses: 

The computer readable medium having code to perform the computer implemented 
method for protecting the database of Claim 98, wherein the step of analyzing 
further comprises the steps of: 

determining whether the plurality of atomic database events include an executable 
SQL statement that exploits a buffer overflow vulnerability in the database {See 
SHOSTACK, Table 1, wherein this reads over "Check for known bugs in the servers . . . that are 
vulnerable to buffer overflow attacks" and "X-windows. Check for open permissions that allow 
snooping of remote X session, unpatched libraries and executables vulnerable to buffer overflow 
attacks"}; 

preventing the executable SQL statement from executing {See BAPAT, C12:L19-26, wherein 
this reads over "[i]f a match is found, the request is denied, and a response is returned to the 
initiator if appropriate"}. 

While BAPAT fails to expressly disclose a method of "processing the plurality of database events 
by detecting whether an executable SQL statement exploits a buffer overflow vulnerability in the 
database," SHOSTACK discloses a method of checking for buffer overflow vulnerabilities. Therefore, it would 
have been obvious to one of ordinary skill in the art at the time the invention was made to modify the 
above invention suggested by BAPAT and GLASSER by combining it with the invention disclosed by 
SHOSTACK. 

One of ordinary skill in the art would have been motivated to do this modification so that 
suspicious or malicious activity may be detected and prevented accordingly. 

15. Claim 100 is rejected under 35 U.S.C. 103(a) as being unpatentable over BAPAT as applied to 
claims 98 and 101 above, in view of GLASSER, and further in view of Reshef et al (U.S. Patent No. 6,321,337, 
hereinafter referred to as RESHEF), filed on 9 September 1998, and issued on 20 November 2001. 

16. As per dependent claim 100, BAPAT, in combination with GLASSER and RESHEF, discloses: 

The computer readable medium having code to perform the computer implemented 
method for protecting the database of Claim 98, wherein the step of analyzing further 
comprises the steps of: 

detecting whether an executable SQL statement includes an operating system call {See 
RESHEF, C10:L21-35, wherein this reads over "[a]ny breach of the permitted flow sequences by 
disorderly operating system calls or looping will be trapped and logged"}; 

preventing the executable SQL statement from making the operating system call {See 
BAPAT, C12:L19-26, wherein this reads over "[i]f a match is found, the request is denied, and a response 
is returned to the initiator if appropriate"}. 

While BAPAT fails to expressly disclose a method of "detecting an executable statement includes 
an operating system call," RESHEF discloses a method of checking for operating system calls which result 
in a breach of permitted flow sequences. Therefore, it would have been obvious to one of ordinary skill 
in the art at the time the invention was made to modify the above invention suggested by BAPAT and 
GLASSER by combining it with the invention disclosed by RESHEF. 

One of ordinary skill in the art would have been motivated to do this modification so that 
suspicious or malicious activity may be detected and prevented accordingly. 

17. Claims 102-104 are rejected under 35 U.S.C. 103(a) as being unpatentable over BAPAT as 
applied to claims 98 and 101 above, in view of GLASSER, and further in view of Rowland (U.S. Patent No. 
6,405,318, hereinafter referred to as ROWLAND), filed on 12 March 1999, and issued on 11 June 2002. 

18. As per dependent claim 102, BAPAT, in combination with GLASSER and ROWLAND, discloses: 
The computer readable medium having code to perform the computer implemented 
method for protecting the database of Claim 98, wherein the step of analyzing 
further comprises the steps of: 

determining whether an executable SQL statement alters a set of auditing 
configurations existing on the database {See ROWLAND, C5:L61-67, wherein this reads 
over "name a local directory in an odd way to hide their work"}; 

preventing the set of auditing configurations from being altered {See BAPAT, C12:L19-26, 
wherein this reads over "[i]f a match is found, the request is denied, and a response is returned to 
the initiator if appropriate"}. 

While BAPAT fails to expressly disclose a method "wherein said unauthorized activity is interfering 
with auditing settings," ROWLAND discloses a method wherein suspicious directory activity is detected 
{See ROWLAND, C5:L61-67}. Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the above invention suggested by BAPAT and GLASSER by 
combining it with the invention disclosed by ROWLAND. 

One of ordinary skill in the art would have been motivated to do this modification so that 
suspicious or malicious activity may be detected and prevented accordingly. 

19. As per dependent claim 103, BAPAT, in combination with GLASSER and ROWLAND, discloses: 

The computer readable medium having code to perform the computer implemented 
method for protecting the database of Claim 98, wherein the step of analyzing 
further comprises the steps of: 

determining whether an executable SQL statement includes a write operation to a set 
of audit records existing in a log file {See ROWLAND, C6:L4-11, wherein this reads over 
"[t]he system checks to determine if the system audit records have been altered or are missing"}; 

preventing the audit records existing in the log file from being written to {See BAPAT, 
C12:L19-26, wherein this reads over "[i]f a match is found, the request is denied, and a response is 
returned to the initiator if appropriate"}. 

While BAPAT fails to expressly disclose a method "wherein said unauthorized activity is interfering 
with audit records," ROWLAND discloses a method wherein "[t]he system checks to determine if the 
system audit records have been altered or are missing" {See ROWLAND, C6:L4-11}. Therefore, it would 
have been obvious to one of ordinary skill in the art at the time the invention was made to modify the 
above invention suggested by BAPAT and GLASSER by combining it with the invention disclosed by 
ROWLAND. 

One of ordinary skill in the art would have been motivated to do this modification so that 
suspicious or malicious activity may be detected and prevented accordingly. 

20. As per dependent claim 104, BAPAT, in combination with GLASSER and ROWLAND, discloses: 

The computer readable medium having code to perform the computer implemented 
method for protecting the database of Claim 98, wherein the step of analyzing 
further comprises the steps of: 

determining whether an executable SQL statement includes an attempt 
by a user to obtain administrator access by changing a configuration file in the 
database {See ROWLAND, C5:L53-56, wherein this reads over "[t]he system examines the rhost 
file and other system authentication files to determine if dangerous security modifications to the host 
file have occurred"}; 

preventing the configuration file in the database from being changed {See BAPAT, 
C12:L19-26, wherein this reads over "[i]f a match is found, the request is denied, and a response is 
returned to the initiator if appropriate"}. 

While BAPAT fails to expressly disclose a method "wherein said unauthorized activity is modifying 
security settings," ROWLAND discloses a method wherein "[t]he system examines the rhost file and other 
system authentication files to determine if dangerous security modifications to the host file have 
occurred" {See ROWLAND, C5:L53-56}. Therefore, it would have been obvious to one of ordinary skill in 
the art at the time the invention was made to modify the above invention suggested by BAPAT and 
GLASSER by combining it with the invention disclosed by ROWLAND. 

One of ordinary skill in the art would have been motivated to do this modification so that 
suspicious or malicious activity may be detected and prevented accordingly. 
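Added illustration, not part of this Office action, of the applicant's disclosure, or of any cited reference: the Python routine below carries out the deconstructing, analyzing, executing and signaling steps recited in claim 98 (including operator-created exceptions that update the rule set and a signal record for the console's data file) together with the statement checks of claims 100 through 104 (operating system calls, data dictionary writes, alteration of auditing configuration, writes to audit records, changes to authentication configuration) over a constructed batch of SQL statements. The object and procedure names it matches on (sys.objects, sys.aud$, xp_cmdshell and the like) are assumed examples; a deployment would load the lists for its own DBMS. The buffer overflow check of claim 99 is not modelled. 

```python
"""Rule-based screening of SQL batches, illustrating the analyzing step of the claims above.
Added example; not the applicant's code and not taken from any cited reference."""
import json
import re
from dataclasses import dataclass, field
from typing import Callable

# Assumed object and procedure names (constructed for this example). Real lists depend on
# the DBMS and must be maintained per deployment; categories overlap in practice
# (sys.user$, for instance, is also part of the data dictionary).
DATA_DICTIONARY = {"sys.objects", "sys.tables", "sysobjects", "pg_catalog.pg_class", "sys.obj$"}
AUDIT_RECORDS = {"sys.aud$", "sys.fga_log$", "audit_log"}
AUTH_CONFIG = {"sys.user$", "pg_authid", "mysql.user", "syslogins"}
OS_CALL = ["xp_cmdshell", "dbms_scheduler", "lo_export", "load_file(", "into outfile", "to program"]
AUDIT_CONFIG = [r"\bNOAUDIT\b", r"\bAUDIT_TRAIL\b", r"\bsp_configure\b", r"\baudit_sys_operations\b"]

_WRITE_VERB = re.compile(r"\b(INSERT|UPDATE|DELETE|TRUNCATE|ALTER|DROP|GRANT|REVOKE)\b", re.I)
Check = Callable[[str], bool]


def _writes_to(objects: set[str]) -> Check:
    """True when the statement carries a write verb and names one of the objects."""
    def check(stmt: str) -> bool:
        low = stmt.lower()
        return bool(_WRITE_VERB.search(stmt)) and any(o in low for o in objects)
    return check


def _matches(patterns: list[str]) -> Check:
    pat = re.compile("|".join(patterns), re.I)
    return lambda stmt: bool(pat.search(stmt))


# One rule per dependent claim: 101, 100, 102, 103 and 104 respectively.
RULES: list[tuple[str, Check]] = [
    ("write_to_data_dictionary", _writes_to(DATA_DICTIONARY)),
    ("os_call", _matches([re.escape(n) for n in OS_CALL])),
    ("alters_audit_config", _matches(AUDIT_CONFIG)),
    ("writes_audit_records", _writes_to(AUDIT_RECORDS)),
    ("changes_auth_config", _writes_to(AUTH_CONFIG)),
]


def atomize(batch: str) -> list[str]:
    """Deconstruct a batch into atomic statements, splitting on ';' outside quoted strings."""
    stmts, buf, in_str = [], [], False
    for ch in batch:
        if ch == "'":
            in_str = not in_str
        if ch == ";" and not in_str:
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]


def _normalize(stmt: str) -> str:
    return " ".join(stmt.lower().split())


@dataclass
class RuleSet:
    rules: list[tuple[str, Check]]
    # Operator-created exceptions, keyed by (rule name, normalized statement). A production
    # system would scope them per principal and object as well.
    exceptions: set[tuple[str, str]] = field(default_factory=set)

    def analyze(self, stmt: str) -> list[str]:
        key = _normalize(stmt)
        return [name for name, check in self.rules
                if check(stmt) and (name, key) not in self.exceptions]

    def add_exception(self, rule_name: str, stmt: str) -> None:
        """Update the rule set with an exception the console operator created for a signal."""
        self.exceptions.add((rule_name, _normalize(stmt)))


@dataclass
class Decision:
    statement: str
    violations: list[str]
    action: str  # "execute" for compliant events, "signal" otherwise


def default_ruleset() -> RuleSet:
    return RuleSet(list(RULES))


def screen(batch: str, ruleset: RuleSet) -> list[Decision]:
    """Analyze each atomic statement; compliant ones execute, the rest raise a signal."""
    decisions = []
    for stmt in atomize(batch):
        violations = ruleset.analyze(stmt)
        decisions.append(Decision(stmt, violations, "signal" if violations else "execute"))
    return decisions


def signal_log(decisions: list[Decision]) -> list[str]:
    """JSON lines the console would append to its data file, one per signal."""
    return [json.dumps({"statement": d.statement, "violations": d.violations})
            for d in decisions if d.action == "signal"]


# Constructed sample batch: one benign query followed by one statement per rule.
SAMPLE_BATCH = (
    "SELECT name FROM customers WHERE id = 42;"
    "UPDATE sys.objects SET name = 'x' WHERE object_id = 1;"
    "EXEC xp_cmdshell 'whoami';"
    "NOAUDIT ALL;"
    "DELETE FROM sys.aud$ WHERE userid = 'scott';"
    "UPDATE sys.user$ SET password = 'x' WHERE name = 'SYS';"
)

if __name__ == "__main__":
    rs = default_ruleset()
    for d in screen(SAMPLE_BATCH, rs):
        print(f"{d.action:8} {d.violations or '-'}  {d.statement}")
```

The rules are deliberately name-based string matches, which is the weakest form of the analyzing step: a real listener agent would work from the parsed statement (object references resolved against the catalogue, procedure calls resolved to their targets) so that aliases, comments and quoting cannot hide the object being touched. 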

Response to Arguments 

21. Applicant's arguments with respect to claim 98 have been considered but are moot in view of the 
new ground(s) of rejection. 
Conclusion 

22. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office 
action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of 
the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory 
action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing 
date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the date of this final action. 

23. Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to PAUL KIM whose telephone number is (571)272-2737. The examiner can normally be 
reached on M-F, 9am - 5pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Tony Mahmoudi can be reached on (571) 272-4078. The fax phone number for the organization where 
this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 
866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or 
access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Tony Mahmoudi/ 
Supervisory Patent Examiner, Art Unit 2169 

Paul Kim 
Examiner, Art Unit 2169 
/pk/ 
